Previously all LLM-flagged findings were written to the abuse log,
causing fail2ban to potentially ban IPs for low-severity activity.
Now only high and critical severity findings trigger abuse logging.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Fix .git/ regex pattern to require leading slash, preventing Gitea
git-protocol URLs from triggering "Sensitive File Probe" alerts.
Add infrastructure context to the LLM system prompt describing
Gitea, Nextcloud, Immich, and Gotify traffic patterns so the
LLM does not flag normal self-hosted service activity.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

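As an added illustration of the regex fix described in the commit above (example code, not the project's own; the original pattern is not shown on the page, so the naive `\.git/` form, the function names and the sample request paths are constructed assumptions), the following shows why a bare `.git/` match fires on Gitea smart-HTTP clone URLs such as `/user/repo.git/info/refs` and how anchoring `.git` as a whole path segment fixes it:

```python
import re

# Assumed "before" pattern: any ".git/" substring counts as a probe.
# This matches "repo.git/info/refs", which is normal Gitea clone traffic.
NAIVE_GIT_PROBE = re.compile(r"\.git/")

# "After" pattern, as the commit describes: ".git" must be its own path
# segment, i.e. preceded by a slash (or start of path) and followed by a
# slash or the end of the path.
GIT_PROBE = re.compile(r"(?:^|/)\.git(?:/|$)")

# Constructed sample paths: the first three are real sensitive-file probes,
# the next two are ordinary Gitea smart-HTTP traffic, and the last is a
# dotfile lookalike that should not match either way.
SAMPLE_PATHS = [
    "/.git/config",
    "/.git/HEAD",
    "/app/.git",
    "/alice/project.git/info/refs?service=git-upload-pack",
    "/alice/project.git/git-upload-pack",
    "/.gitignore",
]


def is_sensitive_file_probe(path: str, pattern: re.Pattern = GIT_PROBE) -> bool:
    """Return True if the request path targets a .git directory.

    The query string is stripped first so that a parameter such as
    "?service=git-upload-pack" cannot influence the match either way.
    """
    path = path.split("?", 1)[0]
    return pattern.search(path) is not None


def classify(paths, pattern: re.Pattern = GIT_PROBE) -> dict:
    """Map each path to whether the given pattern flags it as a probe."""
    return {p: is_sensitive_file_probe(p, pattern) for p in paths}


if __name__ == "__main__":
    for p, flagged in classify(SAMPLE_PATHS).items():
        naive = is_sensitive_file_probe(p, NAIVE_GIT_PROBE)
        print(f"{p!r:60} naive={naive!s:5} fixed={flagged}")
```

Running it shows the two Gitea clone URLs flagged by the naive pattern and cleared by the anchored one, while `/.git/config`, `/.git/HEAD` and `/app/.git` are still caught (the naive form also missed `/app/.git`, since it required a trailing slash).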
Ensures consistent casing for attack type labels stored in the
threat database by applying .lower() on input.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Config was a Python file baked into the image or bind-mounted, requiring
a rebuild or manual file management for any settings change. Now uses
env_file in docker-compose with os.environ.get() calls, so config
changes only need a container restart. Also filters Gitea traffic from
LLM analysis to prevent false positive reconnaissance alerts on normal
repository browsing.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>